From eba4a83a5e3ccd54e232ecea90472b345342911c Mon Sep 17 00:00:00 2001 From: Lance Haig Date: Fri, 27 Sep 2019 09:12:49 +0200 Subject: [PATCH 1/7] Add the Service Principal Application id to the access policy. THis allows the service principal to add the SSL certificates to the keyvault. --- examples/bootstrap-azure/README.md | 1 + examples/bootstrap-azure/key_vault.tf | 78 +++++++++++++++++++-------- examples/bootstrap-azure/variables.tf | 6 ++- 3 files changed, 62 insertions(+), 23 deletions(-) diff --git a/examples/bootstrap-azure/README.md b/examples/bootstrap-azure/README.md index 1bfb3fb..8cecd4b 100644 --- a/examples/bootstrap-azure/README.md +++ b/examples/bootstrap-azure/README.md @@ -11,6 +11,7 @@ The only required inputs are a object-id and tenant-id to give access to the key |------|-------------|:----:|:-----:|:-----:| | key\_vault\_object\_id | The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault. | string | n/a | yes | | key\_vault\_tenant\_id | The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. | string | n/a | yes | +| application\_id | The application ID of the service principal for the vault. | string | n/a | yes | | additional\_tags | A map of additional tags to attach to all resources created. | map | `{}` | no | | address\_space | CIDR block range to use for the network. | string | `"10.0.0.0/16"` | no | | address\_space\_allowlist | CIDR block range to use to allow traffic from | string | `"*"` | no | diff --git a/examples/bootstrap-azure/key_vault.tf b/examples/bootstrap-azure/key_vault.tf index 593e2a6..61ac5f3 100644 --- a/examples/bootstrap-azure/key_vault.tf +++ b/examples/bootstrap-azure/key_vault.tf 
@@ -7,28 +7,62 @@ resource "azurerm_key_vault" "new" { tags = "${local.tags}" enabled_for_deployment = true enabled_for_template_deployment = true +} - access_policy { - tenant_id = "${var.key_vault_tenant_id}" - object_id = "${var.key_vault_object_id}" - - certificate_permissions = [ - "get", - "list", - "create", - "delete", - ] - - key_permissions = [ - "get", - "list", - "create", - ] - secret_permissions = [ - "get", - "list", - "set", - ] - } +resource "azurerm_key_vault_access_policy" "new-user" { + key_vault_id = "${azurerm_key_vault.new.id}" + tenant_id = "${var.key_vault_tenant_id}" + object_id = "${var.key_vault_object_id}" + key_permissions = [ + "get", + "list", + "update", + "create", + "import", + "delete", + ] + secret_permissions = [ + "get", + "list", + "set", + "delete", + ] + certificate_permissions = [ + "get", + "list", + "update", + "create", + "import", + "delete", + ] } + +resource "azurerm_key_vault_access_policy" "new-app" { + key_vault_id = "${azurerm_key_vault.new.id}" + tenant_id = "${var.key_vault_tenant_id}" + object_id = "${var.key_vault_object_id}" + application_id = "${var.application_id}" + key_permissions = [ + "get", + "list", + "update", + "create", + "import", + "delete", + ] + secret_permissions = [ + "get", + "list", + "set", + "delete", + ] + certificate_permissions = [ + "get", + "list", + "update", + "create", + "import", + "delete", + ] +} \ No newline at end of file diff --git a/examples/bootstrap-azure/variables.tf b/examples/bootstrap-azure/variables.tf index 47bde30..9bd8814 100644 --- a/examples/bootstrap-azure/variables.tf +++ b/examples/bootstrap-azure/variables.tf 
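Review bot: The new `new-user` policy grants more than the commit message asks for: `key_permissions` gains `"update"`, `"import"` and `"delete"` and `secret_permissions` gains `"delete"`, while the stated goal is only letting the principal add SSL certificates. Unless those verbs are needed, keep the key and secret lists at their previous scope and widen only `certificate_permissions`, e.g. `key_permissions = ["get", "list", "create"]` and `secret_permissions = ["get", "list", "set"]`. The `new-app` policy repeats the same `tenant_id`/`object_id` and adds `application_id`, which I believe Key Vault treats as a compound identity (the `object_id` principal acting through that client application); if both values describe the same service principal, as the README row in this patch suggests, the second policy may never match a caller, so a comment on the block such as `# compound identity: object_id = calling principal, application_id = client app acting for it - confirm this is the intended caller` would be worth adding.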
@@ -34,7 +34,11 @@ variable "key_vault_tenant_id" { } variable "key_vault_object_id" { - description = "The object ID of a user, service principal or security group in the Azure Active Directory tenant for the vault." + description = "The object ID of the service principal for the vault." +} + +variable "application_id" { + description = "The application ID of the service principal for the vault." } locals { From e17be74fda2c3ceba714323201e665ce2c91705a Mon Sep 17 00:00:00 2001 From: ausfestivus Date: Thu, 7 Nov 2019 22:34:54 +1100 Subject: [PATCH 2/7] add tf authed user to keyvault access list --- examples/bootstrap-azure/key_vault.tf | 59 ++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 2 deletions(-) diff --git a/examples/bootstrap-azure/key_vault.tf b/examples/bootstrap-azure/key_vault.tf index 61ac5f3..94fd557 100644 --- a/examples/bootstrap-azure/key_vault.tf +++ b/examples/bootstrap-azure/key_vault.tf 
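Review bot: The narrowed `key_vault_object_id` description (`"The object ID of the service principal for the vault."`) no longer agrees with the README table touched in the same patch, which still reads `The object ID of a user, service principal or security group ...`; one of the two should change so the inputs are documented consistently. The new `application_id` variable is also declared without a `type`, as its neighbours appear to be; `type = "string"` (the quoted 0.11-era form matching the interpolation style in this file) would make the contract explicit and reject a non-string value at plan time.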
@@ -1,15 +1,68 @@ +# read in current AzureRM client config so we can give it some permissions wrt the Keyvault. +data "azurerm_client_config" "current" {} + resource "azurerm_key_vault" "new" { name = "${local.prefix}" resource_group_name = "${azurerm_resource_group.new.name}" location = "${var.location}" sku_name = "standard" - tenant_id = "${var.key_vault_tenant_id}" + tenant_id = "${var.key_vault_tenant_id}" # The Azure Active Directory tenant ID that should be used for authenticating requests to the key vault. tags = "${local.tags}" enabled_for_deployment = true enabled_for_template_deployment = true } +# access policy for the ecurrent signed in user building the vault. +resource "azurerm_key_vault_access_policy" "new-user" { + key_vault_id = "${azurerm_key_vault.new.id}" + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + object_id = "${data.azurerm_client_config.current.service_principal_object_id}" + key_permissions = [ + "backup", + "create", + "decrypt", + "delete", + "encrypt", + "get", + "import", + "list", + "purge", + "recover", + "restore", + "sign", + "unwrapKey", + "update", + "verify", + "wrapKey", + ] + + secret_permissions = [ + "backup", + "delete", + "get", + "list", + "purge", + "recover", + "restore", + "set", + ] + certificate_permissions = [ + "create", + "delete", + "deleteissuers", + "get", + "getissuers", + "import", + "list", + "listissuers", + "managecontacts", + "manageissuers", + "setissuers", + "update", + ] +} +# access policy for the required/created/dedicated/selected keyvault SP user resource "azurerm_key_vault_access_policy" "new-user" { key_vault_id = "${azurerm_key_vault.new.id}" tenant_id = "${var.key_vault_tenant_id}" @@ -38,6 +91,7 @@ resource "azurerm_key_vault_access_policy" "new-user" { ] } +# access policy for the required/created/dedicated/selected keyvault SP user resource "azurerm_key_vault_access_policy" "new-app" { key_vault_id = "${azurerm_key_vault.new.id}" tenant_id = "${var.key_vault_tenant_id}" 
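Review bot: The first policy's `object_id = "${data.azurerm_client_config.current.service_principal_object_id}"` only identifies the deployer when Terraform authenticates as a service principal; as far as I recall, the 1.x provider leaves that attribute empty for an Azure CLI user login, which is exactly the case the comment above the block describes, so the block would then fail or grant nothing — `object_id` on the same data source covers both cases, confirm against the provider version this example pins. Separately, that deployer policy hands the builder identity `"purge"` on keys and secrets plus `"decrypt"`, `"sign"`, `"unwrapKey"` and `"wrapKey"`, which lets it destroy soft-deleted material and use key material rather than just manage it; a bootstrap identity normally needs the management verbs only, so trimming those or documenting why they are required would keep this example least-privilege. The second resource block continues past the end of this hunk.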
@@ -65,4 +119,5 @@ resource "azurerm_key_vault_access_policy" "new-app" { "import", "delete", ] -} \ No newline at end of file +} + From b46f3c834f7b38c95d5e577b3f9e9cc30a7899d2 Mon Sep 17 00:00:00 2001 From: ausfestivus Date: Fri, 8 Nov 2019 08:31:13 +1100 Subject: [PATCH 3/7] fix duped name on new access_policy resource --- examples/bootstrap-azure/key_vault.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/bootstrap-azure/key_vault.tf b/examples/bootstrap-azure/key_vault.tf index 94fd557..bbf4fcc 100644 --- a/examples/bootstrap-azure/key_vault.tf +++ b/examples/bootstrap-azure/key_vault.tf @@ -13,7 +13,7 @@ resource "azurerm_key_vault" "new" { } # access policy for the ecurrent signed in user building the vault. -resource "azurerm_key_vault_access_policy" "new-user" { +resource "azurerm_key_vault_access_policy" "tf-user" { key_vault_id = "${azurerm_key_vault.new.id}" tenant_id = "${data.azurerm_client_config.current.tenant_id}" object_id = "${data.azurerm_client_config.current.service_principal_object_id}" From 73c48f9f1e52ee02efceb40b191c37f74e72bec6 Mon Sep 17 00:00:00 2001 From: ausfestivus Date: Fri, 8 Nov 2019 10:50:03 +1100 Subject: [PATCH 4/7] moved kv access policies to kv resource --- examples/bootstrap-azure/key_vault.tf | 240 ++++++++++++++++++-------- 1 file changed, 171 insertions(+), 69 deletions(-) diff --git a/examples/bootstrap-azure/key_vault.tf b/examples/bootstrap-azure/key_vault.tf index bbf4fcc..75f3437 100644 --- a/examples/bootstrap-azure/key_vault.tf +++ b/examples/bootstrap-azure/key_vault.tf 
@@ -10,14 +10,11 @@ resource "azurerm_key_vault" "new" { tags = "${local.tags}" enabled_for_deployment = true enabled_for_template_deployment = true -} -# access policy for the ecurrent signed in user building the vault. -resource "azurerm_key_vault_access_policy" "tf-user" { - key_vault_id = "${azurerm_key_vault.new.id}" - tenant_id = "${data.azurerm_client_config.current.tenant_id}" - object_id = "${data.azurerm_client_config.current.service_principal_object_id}" - key_permissions = [ + access_policy { # access policy for the current signed in user building the vault. + tenant_id = "${data.azurerm_client_config.current.tenant_id}" + object_id = "${data.azurerm_client_config.current.service_principal_object_id}" + key_permissions = [ "backup", "create", "decrypt", @@ -34,9 +31,8 @@ resource "azurerm_key_vault_access_policy" "tf-user" { "update", "verify", "wrapKey", - ] - - secret_permissions = [ + ] + secret_permissions = [ "backup", "delete", "get", @@ -45,7 +41,7 @@ resource "azurerm_key_vault_access_policy" "tf-user" { "recover", "restore", "set", - ] + ] certificate_permissions = [ "create", "delete", 
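Review bot: With the policies now inline as `access_policy` blocks on `azurerm_key_vault.new`, the provider reconciles the vault's whole policy set on every apply, so any `azurerm_key_vault_access_policy` resource someone later adds for this vault (the provider documentation says the two styles cannot be mixed on one vault) would be removed on the next plan; a comment above the first `access_policy {` line such as `# Access policies are managed inline; do not add azurerm_key_vault_access_policy resources for this vault.` would spare the next maintainer that surprise. The same applies to the two inline blocks added in the `@@ -59,65 +55,171 @@` hunk. The trailing `# access policy for ...` comments on the `access_policy {` lines would read better on their own line above each block. The enclosing resource starts before this hunk.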
@@ -59,65 +55,171 @@ resource "azurerm_key_vault_access_policy" "tf-user" { "manageissuers", "setissuers", "update", - ] -} + ] + } + + access_policy { # access policy for the required/created/dedicated/selected keyvault SP user + tenant_id = "${var.key_vault_tenant_id}" + object_id = "${var.key_vault_object_id}" + key_permissions = [ + "get", + "list", + "update", + "create", + "import", + "delete", + ] + secret_permissions = [ + "get", + "list", + "set", + "delete", + ] + certificate_permissions = [ + "get", + "list", + "update", + "create", + "import", + "delete", + ] + } -# access policy for the required/created/dedicated/selected keyvault SP user -resource "azurerm_key_vault_access_policy" "new-user" { - key_vault_id = "${azurerm_key_vault.new.id}" - tenant_id = "${var.key_vault_tenant_id}" - object_id = "${var.key_vault_object_id}" - key_permissions = [ - "get", - "list", - "update", - "create", - "import", - "delete", - ] - secret_permissions = [ - "get", - "list", - "set", - "delete", - ] - certificate_permissions = [ - "get", - "list", - "update", - "create", - "import", - "delete", - ] + access_policy { # access policy for the required/created/dedicated/selected keyvault SP user + tenant_id = "${var.key_vault_tenant_id}" + object_id = "${var.key_vault_object_id}" + application_id = "${var.application_id}" + key_permissions = [ + "get", + "list", + "update", + "create", + "import", + "delete", + ] + secret_permissions = [ + "get", + "list", + "set", + "delete", + ] + certificate_permissions = [ + "get", + "list", + "update", + "create", + "import", + "delete", + ] + } } -# access policy for the required/created/dedicated/selected keyvault SP user -resource "azurerm_key_vault_access_policy" "new-app" { - key_vault_id = "${azurerm_key_vault.new.id}" - tenant_id = "${var.key_vault_tenant_id}" - object_id = "${var.key_vault_object_id}" - application_id = "${var.application_id}" - key_permissions = [ - "get", - "list", - "update", - "create", - "import", - 
"delete", - ] - secret_permissions = [ - "get", - "list", - "set", - "delete", - ] - certificate_permissions = [ - "get", - "list", - "update", - "create", - "import", - "delete", - ] -} +# # access policy for the current signed in user building the vault. +# resource "azurerm_key_vault_access_policy" "tf-user" { +# key_vault_id = "${azurerm_key_vault.new.id}" +# tenant_id = "${data.azurerm_client_config.current.tenant_id}" +# object_id = "${data.azurerm_client_config.current.service_principal_object_id}" +# key_permissions = [ +# "backup", +# "create", +# "decrypt", +# "delete", +# "encrypt", +# "get", +# "import", +# "list", +# "purge", +# "recover", +# "restore", +# "sign", +# "unwrapKey", +# "update", +# "verify", +# "wrapKey", +# ] + +# secret_permissions = [ +# "backup", +# "delete", +# "get", +# "list", +# "purge", +# "recover", +# "restore", +# "set", +# ] +# certificate_permissions = [ +# "create", +# "delete", +# "deleteissuers", +# "get", +# "getissuers", +# "import", +# "list", +# "listissuers", +# "managecontacts", +# "manageissuers", +# "setissuers", +# "update", +# ] +# } + +# # access policy for the required/created/dedicated/selected keyvault SP user +# resource "azurerm_key_vault_access_policy" "new-user" { +# key_vault_id = "${azurerm_key_vault.new.id}" +# tenant_id = "${var.key_vault_tenant_id}" +# object_id = "${var.key_vault_object_id}" +# key_permissions = [ +# "get", +# "list", +# "update", +# "create", +# "import", +# "delete", +# ] +# secret_permissions = [ +# "get", +# "list", +# "set", +# "delete", +# ] +# certificate_permissions = [ +# "get", +# "list", +# "update", +# "create", +# "import", +# "delete", +# ] +# } + +# # access policy for the required/created/dedicated/selected keyvault SP user +# resource "azurerm_key_vault_access_policy" "new-app" { +# key_vault_id = "${azurerm_key_vault.new.id}" +# tenant_id = "${var.key_vault_tenant_id}" +# object_id = "${var.key_vault_object_id}" +# application_id = "${var.application_id}" +# 
key_permissions = [ +# "get", +# "list", +# "update", +# "create", +# "import", +# "delete", +# ] +# secret_permissions = [ +# "get", +# "list", +# "set", +# "delete", +# ] +# certificate_permissions = [ +# "get", +# "list", +# "update", +# "create", +# "import", +# "delete", +# ] +# } From 9d75152503f8dd03d6a898d21d7a4d0e4c951686 Mon Sep 17 00:00:00 2001 From: ausfestivus Date: Tue, 12 Nov 2019 15:27:40 +1100 Subject: [PATCH 5/7] add kv suffix to keyvault --- examples/bootstrap-azure/key_vault.tf | 112 +------------------------- 1 file changed, 1 insertion(+), 111 deletions(-) diff --git a/examples/bootstrap-azure/key_vault.tf b/examples/bootstrap-azure/key_vault.tf index 75f3437..26001a0 100644 --- a/examples/bootstrap-azure/key_vault.tf +++ b/examples/bootstrap-azure/key_vault.tf @@ -2,7 +2,7 @@ data "azurerm_client_config" "current" {} resource "azurerm_key_vault" "new" { - name = "${local.prefix}" + name = "${local.prefix}-kv" resource_group_name = "${azurerm_resource_group.new.name}" location = "${var.location}" sku_name = "standard" 
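Review bot: `name = "${local.prefix}-kv"` is now three characters longer than before, and Azure Key Vault names are limited to 3-24 characters (alphanumerics and hyphens) and must be globally unique; `local.prefix` is defined outside this diff, so I cannot tell whether the suffix can push it past the limit, but if it does the failure surfaces at apply time rather than as a validation error. A comment on the line, `# Key Vault names: 3-24 chars, alphanumeric/hyphen, globally unique - keep local.prefix at 21 chars or fewer`, would make the constraint visible where it bites.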
@@ -113,113 +113,3 @@ resource "azurerm_key_vault" "new" { ] } } - -# # access policy for the current signed in user building the vault. -# resource "azurerm_key_vault_access_policy" "tf-user" { -# key_vault_id = "${azurerm_key_vault.new.id}" -# tenant_id = "${data.azurerm_client_config.current.tenant_id}" -# object_id = "${data.azurerm_client_config.current.service_principal_object_id}" -# key_permissions = [ -# "backup", -# "create", -# "decrypt", -# "delete", -# "encrypt", -# "get", -# "import", -# "list", -# "purge", -# "recover", -# "restore", -# "sign", -# "unwrapKey", -# "update", -# "verify", -# "wrapKey", -# ] - -# secret_permissions = [ -# "backup", -# "delete", -# "get", -# "list", -# "purge", -# "recover", -# "restore", -# "set", -# ] -# certificate_permissions = [ -# "create", -# "delete", -# "deleteissuers", -# "get", -# "getissuers", -# "import", -# "list", -# "listissuers", -# "managecontacts", -# "manageissuers", -# "setissuers", -# "update", -# ] -# } - -# # access policy for the required/created/dedicated/selected keyvault SP user -# resource "azurerm_key_vault_access_policy" "new-user" { -# key_vault_id = "${azurerm_key_vault.new.id}" -# tenant_id = "${var.key_vault_tenant_id}" -# object_id = "${var.key_vault_object_id}" -# key_permissions = [ -# "get", -# "list", -# "update", -# "create", -# "import", -# "delete", -# ] -# secret_permissions = [ -# "get", -# "list", -# "set", -# "delete", -# ] -# certificate_permissions = [ -# "get", -# "list", -# "update", -# "create", -# "import", -# "delete", -# ] -# } - -# # access policy for the required/created/dedicated/selected keyvault SP user -# resource "azurerm_key_vault_access_policy" "new-app" { -# key_vault_id = "${azurerm_key_vault.new.id}" -# tenant_id = "${var.key_vault_tenant_id}" -# object_id = "${var.key_vault_object_id}" -# application_id = "${var.application_id}" -# key_permissions = [ -# "get", -# "list", -# "update", -# "create", -# "import", -# "delete", -# ] -# secret_permissions = [ 
-# "get", -# "list", -# "set", -# "delete", -# ] -# certificate_permissions = [ -# "get", -# "list", -# "update", -# "create", -# "import", -# "delete", -# ] -# } - From de64d2bc00ada1b28afd35695c246af967ca9681 Mon Sep 17 00:00:00 2001 From: ausfestivus Date: Fri, 29 Nov 2019 08:56:34 +1100 Subject: [PATCH 6/7] add key vault id output --- examples/bootstrap-azure/README.md | 1 + examples/bootstrap-azure/outputs.tf | 4 ++++ 2 files changed, 5 insertions(+) diff --git a/examples/bootstrap-azure/README.md b/examples/bootstrap-azure/README.md index 8cecd4b..de7bd03 100644 --- a/examples/bootstrap-azure/README.md +++ b/examples/bootstrap-azure/README.md @@ -24,6 +24,7 @@ The only required inputs are a object-id and tenant-id to give access to the key | Name | Description | |------|-------------| | key\_vault\_name | | +| key\_vault\_id | | | resource\_group\_name | | | subnet | | | virtual\_network\_name | | diff --git a/examples/bootstrap-azure/outputs.tf b/examples/bootstrap-azure/outputs.tf index b57c27e..acf96f2 100644 --- a/examples/bootstrap-azure/outputs.tf +++ b/examples/bootstrap-azure/outputs.tf @@ -13,3 +13,7 @@ output "subnet" { output "key_vault_name" { value = "${azurerm_key_vault.new.name}" } + +output "key_vault_id" { + value = "${azurerm_key_vault.new.id}" +} \ No newline at end of file From 80891eceeaed264d672f892eda24158ed4277e2a Mon Sep 17 00:00:00 2001 From: ausfestivus Date: Sun, 1 Dec 2019 08:55:58 +1100 Subject: [PATCH 7/7] Revert "add key vault id output" This reverts commit de64d2bc00ada1b28afd35695c246af967ca9681. --- examples/bootstrap-azure/README.md | 1 - examples/bootstrap-azure/outputs.tf | 4 ---- 2 files changed, 5 deletions(-) diff --git a/examples/bootstrap-azure/README.md b/examples/bootstrap-azure/README.md index de7bd03..8cecd4b 100644 --- a/examples/bootstrap-azure/README.md +++ b/examples/bootstrap-azure/README.md 
@@ -24,7 +24,6 @@ The only required inputs are a object-id and tenant-id to give access to the key | Name | Description | |------|-------------| | key\_vault\_name | | -| key\_vault\_id | | | resource\_group\_name | | | subnet | | | virtual\_network\_name | | diff --git a/examples/bootstrap-azure/outputs.tf b/examples/bootstrap-azure/outputs.tf index acf96f2..b57c27e 100644 --- a/examples/bootstrap-azure/outputs.tf +++ b/examples/bootstrap-azure/outputs.tf @@ -13,7 +13,3 @@ output "subnet" { output "key_vault_name" { value = "${azurerm_key_vault.new.name}" } - -output "key_vault_id" { - value = "${azurerm_key_vault.new.id}" -} \ No newline at end of file